Seeing scans from 73.247.223.148, src port 23807, dest port 36947 TCP over the last couple of months. This looks like the Stumbler trojan/scanner due to window size 55808, sack OK and WScale = 2. However, I was under the impression that Stumbler used random source addresses when spoofing connections.

I've seen this particular IANA reserved source address 74.247.223.148 for a couple of months on some of my Black Ice sensors. The source port is always 23807, and destination is always 36947. I can't find any references for this port but of course it could be any old trojan, nc listener, or anything.

There were a couple of legitimate source 12.0.0.0/8 systems attempting to find the same destination port 36947. Maybe spoofed, looked like more stumbler traffic. These pseudo-legitimate connections were "from" different source IPs but used the same source and dest port.

This could be from some variant of Stumbler or perhaps a version that's had some bugfixes applied, or some other tool riding the same wave. This is probably not new information, however I have not seen mention of specific port patterns wrt stumbler or the 55808 traffic.

Curt Wilson
Netw3 Security
www.netw3.c0|\/|
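The TCP fingerprint described in the post above (window 55808, SACK permitted, window scale 2, and the fixed 23807 to 36947 port pair), written as a sensor-side check. This is an added example, not part of the original message or any tool it mentions; the function names and the sample segments are constructed for illustration.

```python
import struct

# Fingerprint values taken from the post; everything else here is constructed.
WINDOW, WSCALE, SPORT, DPORT = 55808, 2, 23807, 36947

def parse_tcp(segment: bytes) -> dict:
    """Parse a raw TCP header (no IP header) including its options."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    info = {"sport": sport, "dport": dport, "window": window,
            "syn": bool(off_flags & 0x02), "sack_ok": False, "wscale": None}
    opts, i = segment[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                # malformed option length: stop parsing
        length = opts[i + 1]
        if kind == 4 and length == 2:      # SACK permitted
            info["sack_ok"] = True
        elif kind == 3 and length == 3:    # window scale, shift count in byte 3
            info["wscale"] = opts[i + 2]
        i += length
    return info

def classify(segment: bytes) -> str:
    """Return 'fingerprint+ports', 'fingerprint' or 'no-match'."""
    t = parse_tcp(segment)
    # SACK-permitted and window-scale options are only valid on SYN segments.
    if not (t["syn"] and t["window"] == WINDOW and t["sack_ok"] and t["wscale"] == WSCALE):
        return "no-match"
    return "fingerprint+ports" if (t["sport"], t["dport"]) == (SPORT, DPORT) else "fingerprint"

def build_syn(sport, dport, window, options=b""):
    """Construct a sample SYN segment (test data only, checksum left at 0)."""
    options += b"\x01" * (-len(options) % 4)          # pad with NOPs to 32 bits
    off_flags = ((5 + len(options) // 4) << 12) | 0x02
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0) + options

OPTS = b"\x04\x02" + b"\x03\x03\x02"   # constructed: SACK permitted, window scale 2
```

Keeping the port pair as a separate tier from the window/option match lets a sensor report both the general 55808 traffic and the fixed-port pattern described in the post.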
This archive was generated by hypermail 2b30 : Thu Aug 07 2003 - 15:54:17 PDT